TL;DR: Broad internal protocols, excessive reachability, standing privilege, and weak containment readiness let a single compromise become enterprise-wide disruption, according to Zero Networks’ analysis of 54 trillion activities across 312 enterprise environments in its 2026 Lateral Movement Exposure Report. The real issue is not breach prevention alone, but how far an attacker can travel once inside.
At a glance
What this is: This report examines how enterprise networks enable lateral movement and identifies ten structural risks that turn a single compromise into business-wide disruption.
Why it matters: It matters because IAM, PAM, and segmentation teams must control internal reachability and identity scope, not just block initial access.
By the numbers:
- The report analyzed 54 trillion activities across 312 enterprise environments.
- A single compromised host can reach 85% of internal systems in the first hop.
- 2025 was 27 seconds
- Roughly 80% of organizations have deployed AI agents, and two-thirds have no governance policies for them.
👉 Read Zero Networks' 2026 lateral movement exposure report
Context
Lateral movement is the phase where a compromise stops being an endpoint problem and becomes an enterprise containment problem. In practice, it means an attacker uses trusted internal pathways, identity permissions, and control-plane reachability to move beyond the first foothold.
This report is fundamentally about why many networks remain optimized for access rather than containment. For IAM, PAM, and NHI governance teams, the challenge is not only who can enter, but how far any identity, workload, or agent can travel once inside.
The article also reflects a broader shift in enterprise identity posture: access is being granted across humans, service accounts, cloud APIs, and AI agents, yet the rules for restricting east-west movement lag behind the way modern environments actually operate.
Key questions
Q: What breaks when internal segmentation is not aligned to identity scope?
A: When segmentation does not match identity scope, a valid credential can authenticate far beyond the access it actually needs. That mismatch lets attackers pivot laterally after the first compromise and turns routine administrative connectivity into an attack path. The failure is not authentication alone, but the absence of boundaries around where that identity can move once authenticated.
Q: Why do standing privileges increase lateral movement risk so much?
A: Standing privileges give an attacker a ready-made route through the environment if a credential is stolen or misused. Because the identity already works across systems, the attacker does not need to wait for new approvals or create new access. In practice, that means one compromised account can become broad internal reach almost immediately.
Q: What do security teams get wrong about lateral movement prevention?
A: They often treat lateral movement as a detection problem when it is also a design problem. If internal protocols stay open, control planes stay reachable, and privileged identities stay broad, the attacker still has room to move even when alerts fire. Prevention alone is incomplete unless the network itself limits travel.
Q: Who is accountable when a compromised identity reaches critical systems?
A: Accountability sits across identity governance, network architecture, and platform ownership because no single control layer can contain lateral movement by itself. IAM teams own privilege scope, infrastructure teams own reachability, and security teams own containment logic. If any of those layers assumes the others will compensate, the blast radius grows.
Technical breakdown
Why internal protocols become lateral movement highways
Protocols such as RDP, SMB, SSH, WinRM, WMI, RPC, and DNS are not inherently insecure. The problem is that they are often reachable across broad internal segments and remain trusted by design, which makes them ideal movement paths after initial compromise. Once an attacker has a foothold, these protocols let them authenticate, enumerate, and pivot without needing to break perimeter defences again. In identity terms, the network is granting the attacker the same mobility that administrators rely on for operations. That is why broad protocol exposure is a containment failure, not just a hygiene issue.
Practical implication: close administrative protocols by default and open them only for the shortest necessary session.
Standing privilege and excessive reachability widen blast radius
Standing privilege means an identity can reach more systems than it needs for day-to-day work. When that is combined with flat internal connectivity, a compromised credential can leap between servers, cloud services, and control planes with very little resistance. This report’s key point is that privilege and reachability multiply each other. A service account, admin credential, or AI-connected workflow may be legitimate in isolation, but if it can authenticate broadly and traverse the environment freely, the result is an attacker-controlled route map. Least privilege has to apply to both identity scope and network scope.
Practical implication: pair identity scoping with segmentation so a valid credential cannot authenticate everywhere it can technically connect.
Why containment readiness matters more than breach prevention alone
Breach prevention aims to stop the initial compromise, but containment determines whether that compromise becomes an outage. The report’s breakout and containment figures show why response speed alone is not enough when attackers can move in seconds and defenders often need months to identify and contain an incident. Containment readiness requires visibility into east-west traffic, the ability to isolate compromised paths quickly, and policy controls that do not depend on manual intervention. In mature environments, blast-radius reduction is treated as an architectural property rather than an incident response afterthought.
Practical implication: build identity-aware isolation and quarantine capabilities into the network before an incident forces the issue.
Threat narrative
Attacker objective: The attacker objective is to turn one initial compromise into broad internal access, data exposure, service disruption, or ransomware propagation.
- Entry occurs when an attacker obtains a foothold through a compromised identity, workload, or laptop that already has internal trust relationships.
- Escalation follows when broad protocol exposure, standing privilege, and excessive reachability let the attacker pivot across systems without forcing new access requests.
- Impact arrives when the attacker reaches control planes, backups, databases, or other critical systems and converts one compromise into operational disruption.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Containment, not perimeter defense, is the real control objective. This report reinforces a long-standing identity security truth: initial access is only the beginning of the incident. Once an attacker is inside, the question becomes how much of the environment that identity can still reach. Teams that focus exclusively on blocking entry miss the operational reality that lateral movement is what turns compromise into downtime.
Identity blast radius is now a measurable design problem. The report’s data on internal reachability and standing privilege shows that identity scope and network topology are inseparable. A credential that can authenticate broadly but should not traverse the environment creates a blast radius that is larger than most governance models admit. Practitioners should treat blast radius as a first-class governance metric, not an abstract risk term.
Overprivileged service accounts are a containment failure, not just an IAM hygiene issue. Service identities now outnumber human identities by large margins in most enterprises, yet many remain inactive, over-scoped, or poorly monitored. That means the most operationally useful identity in the environment may also be the easiest path for an attacker to reuse. This is where NHI governance and network containment converge.
AI-connected systems make the lateral movement problem more dynamic. The report correctly notes that cloud platforms, Kubernetes, and AI agents create communication patterns that static segmentation often fails to model. That does not mean these systems are autonomous in every case, but it does mean their identity and connectivity patterns can expand the attack surface faster than manual governance cycles can track. The implication is that identity controls must keep pace with runtime connectivity.
Closed-by-default architecture is becoming the practical baseline for resilient networks. The market is moving toward architectures that combine just-in-time access, per-session authorization, and identity-aware segmentation. That trend validates the idea that governance must follow the path of execution, not only the path of onboarding. For practitioners, the lesson is to govern reachability as tightly as authentication.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly identity failures repeat when governance gaps remain.
- For a broader view of breach patterns and root causes, see 52 NHI Breaches Analysis for recurring compromise and lifecycle failure patterns.
What this signals
Identity containment is becoming the practical test of resilience. Security programmes that still optimise primarily for prevention will struggle in environments where internal movement happens faster than manual response cycles. The next governance question is whether your controls can shrink blast radius across humans, workloads, and AI-connected systems before disruption spreads.
Service accounts and other non-human identities need to be treated as mobility risks, not just credential objects. The moment they can traverse broad internal pathways, they become operational routes for attackers as well as for legitimate automation. That means IAM, PAM, and segmentation teams have to plan together rather than in separate queues.
With 72% of organisations already suspecting or confirming NHI breaches, the governance gap is no longer theoretical. The practical signal is simple: if your environment still relies on standing connectivity and broad internal trust, containment will arrive too late.
For practitioners
- Map east-west trust paths by identity type Inventory which humans, service accounts, workloads, and AI-connected systems can reach critical internal segments, then remove paths that are not operationally required. Focus on the protocols that routinely carry administrative traffic, not only internet-facing exposure.
- Close administrative protocols by default Treat RDP, SMB, SSH, WinRM, WMI, and similar protocols as on-demand access paths. Require per-session authorization and MFA for each exception, and remove standing internal exposure wherever business operations allow it.
- Reduce standing privilege before you tune detection Review which identities have broad internal reach but rarely use it, especially service accounts and privileged operators. Remove unused permissions, scope access to specific systems, and time-box elevated access so a stolen credential has less movement room.
- Isolate control-plane systems from routine user reach Place Active Directory, IAM platforms, backup systems, CI/CD controllers, and cloud management planes into dedicated management zones. Verify that ordinary workstations and non-admin workloads cannot directly reach these assets without explicit authorization.
Key takeaways
- This report shows that lateral movement is a containment failure, not just a perimeter failure.
- The scale of internal reachability and standing privilege explains why one compromise can become an enterprise outage.
- Practitioners should treat blast-radius reduction, identity scope, and closed-by-default connectivity as linked controls.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Internal reachability and privileged NHI exposure are core risks in this report. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0006 , Credential Access | The report centers on attacker movement after credential compromise. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and path restriction underpin the report's containment model. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege directly addresses the standing access problem described here. |
| NIST Zero Trust (SP 800-207) | Closed-by-default connectivity and continuous verification reflect zero trust principles. |
Use zero trust segmentation to restrict internal movement and authorize each connection explicitly.
Key terms
- Lateral Movement: Lateral movement is the stage of an intrusion where an attacker moves from the first compromised asset to additional systems, accounts, or control planes. It depends on trust, reachability, and privilege that already exist inside the environment, which is why containment controls matter so much.
- Identity Blast Radius: Identity blast radius is the amount of an environment an identity can reach if it is compromised or misused. In practice, it combines privilege scope, internal reachability, and control-plane access, making it a useful way to measure how far one identity failure can spread.
- Closed-By-Default Architecture: Closed-by-default architecture is a containment model where internal pathways, administrative protocols, and sensitive management planes are inaccessible unless explicitly opened for a specific need. It reduces attacker mobility by making reachability temporary, scoped, and easier to audit.
- Standing Privilege: Standing privilege is access that remains continuously available instead of being issued only when needed. For identities, especially non-human ones, it increases the chance that a stolen or misused credential can be turned into immediate internal movement without additional approval or context.
What's in the full article
Zero Networks' full report covers the operational detail this post intentionally leaves for the source:
- The report's full benchmark data on protocol exposure, reachability, and privilege sprawl across 312 enterprise environments.
- Practical containment patterns for RDP, SMB, SSH, WinRM, and other administrative paths that need on-demand control.
- The report's breakdown of AI agent exposure and why broad standing access changes lateral movement risk.
- Implementation guidance for closed-by-default segmentation and identity-driven microsegmentation.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org